Vulnerability Name:
CVE-2022-23308 (CCN-220772)
Assigned:
2022-02-19
Published:
2022-02-19
Updated:
2022-11-02
Summary:
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
CVSS v3 Severity:
7.5 High
(CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
)
6.7 Medium
(Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
High
5.3 Medium
(CCN CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
)
4.8 Medium
(CCN Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Low
8.1 High
(REDHAT CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
)
7.3 High
(REDHAT Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
High
Integrity (I):
High
Availibility (A):
High
CVSS v2 Severity:
4.3 Medium
(CVSS v2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Medium
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Partial
5.0 Medium
(CCN CVSS v2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Athentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Partial
Vulnerability Type:
CWE-416
Vulnerability Consequences:
Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-23308
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-1 iOS 15.5 and iPadOS 15.5
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-5 watchOS 8.6
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-6 tvOS 15.5
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
Source: XF
Type: UNKNOWN
libxml2-cve202223308-dos(220772)
Source: CCN
Type: libxml2 GIT Repository
libxml2
Source: CCN
Type: libxml2 GIT Repository
[CVE-2022-23308] Use-after-free of ID and IDREF attributes
Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e
Source: MISC
Type: Release Notes, Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS
Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update
Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-050c712ed7
Source: GENTOO
Type: Third Party Advisory
GLSA-202210-03
Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220331-0008/
Source: CCN
Type: Apple security document HT213253
About the security content of watchOS 8.6
Source: CCN
Type: Apple security document HT213254
About the security content of tvOS 15.5
Source: CCN
Type: Apple security document HT213255
About the security content of Security Update 2022-004 Catalina
Source: CCN
Type: Apple security document HT213256
About the security content of macOS Big Sur 11.6.6
Source: CCN
Type: Apple security document HT213257
About the security content of macOS Monterey 12.4
Source: CCN
Type: Apple security document HT213258
About the security content of iOS 15.5 and iPadOS 15.5
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213253
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213254
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213255
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213256
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213257
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213258
Source: CCN
Type: IBM Security Bulletin 6586492 (MQ Operator CD release)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from expat, Golang Go, gcc, openssl and libxml.
Source: CCN
Type: IBM Security Bulletin 6601731 (Security Verify Access)
Multiple security vulnerabilities fixed in IBM Security Verify Access Appliance (CVE-2022-23308, CVE-2021-23840, CVE-2021-23841, CVE-2021-3712)
Source: CCN
Type: IBM Security Bulletin 6607135 (QRadar SIEM)
IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6612837 (InfoSphere Identity Insight)
IBM InfoSphere Identity Insight vulnerabilities in third party libraries (CVE-2021-39239, CVE-2022-23308, CVE-2021-29424, CVE-2020-15250, 177835)
Source: CCN
Type: IBM Security Bulletin 6831813 (Netcool Operations Insight)
Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.
Source: CCN
Type: IBM Security Bulletin 6832956 (Cloud Pak for Security)
IBM Cloud Pak for Security is vulnerable to using components with known vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6856409 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities
Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022
Source: N/A
Type: Patch, Third Party Advisory
N/A
Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2022-23308
Vulnerable Configuration:
Configuration 1
:
cpe:/a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
(Version < 2.9.13)
Configuration 2
:
cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Configuration 3
:
cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Configuration 4
:
cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:*:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*
OR
cpe:/o:apple:iphone_os:*:*:*:*:*:*:*:*
(Version < 15.5)
OR
cpe:/o:apple:watchos:*:*:*:*:*:*:*:*
(Version < 8.6)
OR
cpe:/o:apple:tvos:*:*:*:*:*:*:*:*
(Version < 15.5)
OR
cpe:/o:apple:ipados:*:*:*:*:*:*:*:*
(Version < 15.5)
OR
cpe:/o:apple:macos:*:*:*:*:*:*:*:*
(Version >= 12.0 and < 12.4)
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:*
(Version >= 10.15.0 and < 10.15.7)
OR
cpe:/o:apple:macos:*:*:*:*:*:*:*:*
(Version >= 11.6.0 and < 11.6.6)
Configuration 5
:
cpe:/a:netapp:snapdrive:-:*:*:*:*:unix:*:*
OR
cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
OR
cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:solidfire_&_hci_management_node:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
OR
cpe:/a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:solidfire,_enterprise_sds_&_hci_storage_node:-:*:*:*:*:*:*:*
Configuration 6
:
cpe:/o:netapp:bootstrap_os:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
Configuration 7
:
cpe:/o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h300s:-:*:*:*:*:*:*:*
Configuration 8
:
cpe:/o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h500s:-:*:*:*:*:*:*:*
Configuration 9
:
cpe:/o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h700s:-:*:*:*:*:*:*:*
Configuration 10
:
cpe:/o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h300e:-:*:*:*:*:*:*:*
Configuration 11
:
cpe:/o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h500e:-:*:*:*:*:*:*:*
Configuration 12
:
cpe:/o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h700e:-:*:*:*:*:*:*:*
Configuration 13
:
cpe:/o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h410s:-:*:*:*:*:*:*:*
Configuration 14
:
cpe:/o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:h410c:-:*:*:*:*:*:*:*
Configuration 15
:
cpe:/a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_cloud_native_core_binding_support_function:22.2.0:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:*:*:*:*:*:*:*
OR
cpe:/a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
(Version <= 8.0.29)
Configuration RedHat 1
:
cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2
:
cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration RedHat 3
:
cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 4
:
cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*
Configuration CCN 1
:
cpe:/a:xmlsoft:libxml2:2.9.4:-:*:*:*:*:*:*
OR
cpe:/a:xmlsoft:libxml2:2.9.8:-:*:*:*:*:*:*
AND
cpe:/a:ibm:infosphere_identity_insight:9.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
OR
cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
OR
cpe:/a:ibm:security_verify_access:10.0.2.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:security_verify_access:10.0.0.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:security_verify_access:10.0.1.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:security_verify_access:10.0.3.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:cloud_pak_for_security:1.10.2.0:*:*:*:*:*:*:*
Denotes that component is vulnerable
Oval Definitions
Definition ID
Class
Title
Last Modified
oval:org.opensuse.security:def:7702
P
libxml2-2-2.10.3-150500.3.1 on GA media (Moderate)
2023-06-12
oval:org.opensuse.security:def:95283
P
Security update for libxml2 (Important)
2022-07-26
oval:org.opensuse.security:def:600
P
Security update for libxml2 (Important)
2022-07-26
oval:org.opensuse.security:def:3653
P
Security update for libxml2 (Important)
2022-07-26
oval:org.opensuse.security:def:3110
P
jakarta-taglibs-standard-1.1.1-255.2 on GA media (Moderate)
2022-06-28
oval:org.opensuse.security:def:94740
P
libxml2-2-2.9.12-150400.3.4 on GA media (Moderate)
2022-06-22
oval:org.opensuse.security:def:42388
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:893
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:119208
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:119583
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:118901
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:1584
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:491
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:119398
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:118711
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:42289
P
Security update for libxml2 (Important)
2022-05-19
oval:org.opensuse.security:def:101626
P
Security update for libxml2 (Important) (in QA)
2022-04-29
oval:org.opensuse.security:def:102145
P
Security update for libxml2 (Important) (in QA)
2022-04-29
oval:org.opensuse.security:def:126866
P
Security update for libxml2 (Important)
2022-04-22
oval:org.opensuse.security:def:5223
P
Security update for libxml2 (Important)
2022-04-22
oval:org.opensuse.security:def:127263
P
Security update for libxml2 (Important)
2022-04-22
oval:org.opensuse.security:def:6017
P
Security update for libxml2 (Important)
2022-04-22
oval:org.opensuse.security:def:125700
P
Security update for libxml2 (Important)
2022-04-22
oval:org.opensuse.security:def:42435
P
Security update for python-libxml2-python (Important)
2022-04-19
oval:com.redhat.rhsa:def:20220899
P
RHSA-2022:0899: libxml2 security update (Moderate)
2022-03-15
oval:org.opensuse.security:def:1587
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:119518
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:118840
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:100093
P
(Important)
2022-03-10
oval:org.opensuse.security:def:101659
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:99224
P
(Important)
2022-03-10
oval:org.opensuse.security:def:967
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:100431
P
(Important)
2022-03-10
oval:org.opensuse.security:def:119335
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:99498
P
(Important)
2022-03-10
oval:org.opensuse.security:def:119703
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:119030
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:100765
P
(Important)
2022-03-10
oval:org.opensuse.security:def:102147
P
Security update for python-libxml2-python (Important)
2022-03-10
oval:org.opensuse.security:def:99760
P
(Important)
2022-03-10
oval:org.opensuse.security:def:119141
P
Security update for python-libxml2-python (Important)
2022-03-10
BACK
xmlsoft
libxml2 *
fedoraproject
fedora 34
debian
debian linux 9.0
apple
mac os x 10.15.7 security_update_2020-001
apple
mac os x 10.15.7 security_update_2021-001
apple
mac os x 10.15.7 security_update_2021-002
apple
mac os x 10.15.7
apple
mac os x 10.15.7 security_update_2021-003
apple
mac os x 10.15.7 security_update_2021-004
apple
mac os x 10.15.7 security_update_2021-005
apple
mac os x 10.15.7 security_update_2021-006
apple
mac os x 10.15.7 security_update_2021-008
apple
mac os x 10.15.7 security_update_2022-001
apple
mac os x 10.15.7 security_update_2021-007
apple
iphone os *
apple
watchos *
apple
tvos *
apple
ipados *
apple
macos *
apple
mac os x 10.15.7 security_update_2022-003
apple
mac os x *
apple
macos *
netapp
snapdrive -
netapp
snapmanager -
netapp
ontap select deploy administration utility -
netapp
clustered data ontap -
netapp
smi-s provider -
netapp
clustered data ontap antivirus connector -
netapp
solidfire & hci management node -
netapp
active iq unified manager -
netapp
manageability software development kit -
netapp
solidfire, enterprise sds & hci storage node -
netapp
bootstrap os -
netapp
hci compute node -
netapp
h300s firmware -
netapp
h300s -
netapp
h500s firmware -
netapp
h500s -
netapp
h700s firmware -
netapp
h700s -
netapp
h300e firmware -
netapp
h300e -
netapp
h500e firmware -
netapp
h500e -
netapp
h700e firmware -
netapp
h700e -
netapp
h410s firmware -
netapp
h410s -
netapp
h410c firmware -
netapp
h410c -
oracle
zfs storage appliance kit 8.8
oracle
communications cloud native core network function cloud native environment 22.1.0
oracle
communications cloud native core network repository function 22.2.0
oracle
communications cloud native core network repository function 22.1.2
oracle
communications cloud native core unified data repository 22.2.0
oracle
communications cloud native core binding support function 22.2.0
oracle
communications cloud native core network slice selection function 22.1.1
oracle
mysql workbench *
xmlsoft
libxml2 2.9.4 -
xmlsoft
libxml2 2.9.8 -
ibm
infosphere identity insight 9.0
ibm
qradar security information and event manager 7.3
ibm
qradar security information and event manager 7.4 -
ibm
security verify access 10.0.2.0
ibm
security verify access 10.0.0.0
ibm
security verify access 10.0.1.0
ibm
security verify access 10.0.3.0
ibm
cloud pak for security 1.10.0.0
ibm
cloud pak for security 1.10.2.0
Denotes that component is vulnerable